DEF CON CHINA [BETA]

Partner: XFuture Security

WELCOME TO DEF CON CHINA [BETA]


On behalf of DEF CON, Baidu Security, and XFuture Security, it is my honor to welcome you to DEF CON China [Beta], the first ever held outside of the USA!

For over 25 years DEF CON has constantly evolved, from 100+ people at DC 1 to over 25,000 at DC 25, and has created a culture of its own. At DEF CON it is your idea that counts, not what you look like, how much money you make, how old you are or what kind of music you like. You need the freedom to ask questions and be able to change your opinions.

It is expected that attendees ask speakers questions, challenge what they think is incorrect, and improve things. Good ideas get tested, and at DEF CON I want to build an environment where wisdom is challenged and people are free to pursue technical truth.

DEF CON is what you make of it. Attendees come up with ideas for contests, villages, new

With nearly two years of meticulous preparation, DEF CON has been carrying its 26-year history, for the first time out of Las Vegas, to Beijing in May, just

and more inclusive. We hope that with the opportunity of DEF CON China, we will build a platform for cooperation and exchanges, gather all the strength of

CONNECT

QUESTIONS? PLEASE SEE OUR GOONS AT THE REGISTRATION DESK

SSID: DEF CON CHINA
USERNAME: DEF CON
PASSWORD: DEF CON CHINA
DEF CON provides a forum for open discussion between participants, where radical viewpoints are welcome and a high degree of skepticism is expected. However, insulting or harassing other participants is unacceptable. We want DEF CON to be a safe and productive environment for everyone. It's not about what you look like but what's in your mind and how you present yourself that counts at DEF CON.

We do not condone harassment against any participant, for any reason. Harassment includes deliberate intimidation and targeting individuals in a manner that makes them feel uncomfortable, unwelcome, or afraid.

Participants asked to stop any harassing behavior are expected to comply immediately. We reserve the right to respond to harassment in the manner we deem appropriate, including but not limited to expulsion without refund and referral to the relevant authorities.

This Code of Conduct applies to everyone participating at DEF CON - from attendees and exhibitors to speakers, press, volunteers, and Goons.

Anyone can report harassment. If you are being harassed, notice that someone else is being harassed, or have any other concerns, you can contact a Goon, go to the registration desk, or go to the info booth.

Conference staff will be happy to help participants contact hotel security, local law enforcement, or otherwise assist those experiencing harassment to feel safe for the duration of DEF CON.

Remember: The CON is what you make of it, and as a community we can create a great experience for everyone.
THE BADGE

We present DEF CON Beta's year 1 badge! As badge makers, our philosophy is that each conference's badge should not only reference its history, but create it. DEFCON's game-changing electronic badges started an entire culture of shared electronics, puzzles, and design. One of our favorites, the DEFCON 18 badge created by Joe Grand, informs the medium we use for this first badge, as evidenced by our use of aluminum PCBs. The soldermask coloring matches the standard set by DEFCON, where:

Humans = White
Press = Green
Speaker = Blue
Goon = Red
Village = Orange/Yellow

These anonymous categories are taken out of the soldermask layer onto the side of each badge. You might think it inconvenient that you can't write your name, but consider that at a hacker conference, perhaps the most important piece of information you should protect is your identity!

Since we are being graciously hosted in China, it is only fitting that these categories are also, for the first time, presented in Chinese:

Humans - attendees
Press - media
Speaker - presenter
Goon - staff
Village - villagers

Each term is inspired by the traditional Chinese seal look.

Our silkscreen colors are the same across each group - though instead of only one silkscreen layer, we have 3 to highlight the awesome art!
BCTF (Baidu Capture The Flag) will be held during DEF CON China. The coming BCTF competition will adopt a two-level format combining online preliminaries and offline finals. In the finale, four AI robot teams, dozens of strong domestic CTF teams and internationally famous teams will compete in a final duel. Meanwhile, a security vulnerability will be issued to a public test to win a cash
The specific form of the concert held for the DEF CON China Conference on May 12th, 2018 is an Electronic Music Party. It is a combination of electronic music and a Rave Party with a DJ playing live at the scene, in styles including HOUSE, TECHNO, DUBSTEP and TRANCE. This party is entitled DEF CON China Electronic Night because the music form most appropriate for "Hacker" and "DEFCON" is an electronic one, and live music with a DJ playing is also the best integration with computer and network things. Therefore, the Electronic Music Party has become a good performance form with the characteristics of science and technology and is becoming more and more popular in the world.

DEF CON China Electronic Night is mainly presented by the electronic music operations team named HANKICK. HANKICK mainly advocates "HOUSE & TECHNO" live performances. DEF CON China Electronic Night is specially designed for the DEF CON China Conference
#WIFICACTUS
by d4rkm4tter

The #WiFiCactus is a passive wireless monitoring tool that listens to 50 channels of Wi-Fi at the same time. The tool is also capable of capturing Bluetooth wireless data. It uses Kismet to capture the data from each radio and aggregates them into a single interface. It is capable of identifying wireless threats such as Broadpwn and Impersonation Attacks.

More info: http://palshack.org/the-hashtag-wifi-cactus-wificactus-def-con-25/

More Details: Often when capturing wireless data for troubleshooting and analysis a single radio is used, which leads to lots of information being missed due to the need to channel hop. The #WiFiCactus fixes this issue by integrating 50 total radios into a single device. This enables the user to cover the vast majority of the Wi-Fi spectrum. This is especially useful in a busy environment containing hundreds if not thousands of wireless devices. Due to the far-reaching aspect of wireless technology, which is integrated into every part of our lives, it is important to fully understand the underlying technology. This project provides clarity into what is happening in the airwaves around us and demonstrates the need for encryption. Additionally this project has

The radios used in the WiFi Cactus are Hak5 Pineapple Tetras, but a similar project can be accomplished using any Linux compatible radios. This project uses the open source Kismet software to capture and store the data.

d4rkm4tter is a mad scientist who likes to hack hardware and software. He is particularly obsessed with wireless. He has a degree in computer science which he has put to use building and breaking a wide variety of systems.

WORKSHOP SCHEDULE

FRIDAY
Mobile App Attack 2.0 - Sneha Rajguru
Social Engineering Essentials - Valerie Thomas
UAC 0day, all day! - Ruben Boonen
Decentralized Hacker Net - Eijah

SATURDAY
Mobile App Attack 2.0 - Sneha Rajguru
Social Engineering Essentials - Valerie Thomas
UAC 0day, all day! - Ruben Boonen
Decentralized Hacker Net - Eijah
Ncrack and Nmap - Paulino Calderon
Scanning the Airwaves - Richard Henderson
Practical Malware Analysis: Hands-On - Sam Bowne, Devin Duffy-Halseth, & Dylan Smith
Hands-On Exploit Development - Georgia Weidman

SUNDAY
Ncrack and Nmap - Paulino Calderon
Scanning the Airwaves - Richard Henderson
Practical Malware Analysis: Hands-On - Sam Bowne, Devin Duffy-Halseth, & Dylan Smith
Hands-On Exploit Development - Georgia Weidman
WORKSHOPS

UAC 0DAY, ALL DAY!

Ruben Boonen

DOWNLOAD PRESENTATION MATERIALS AND MORE FROM THE DEF CON MEDIA SERVER AT: HTTPS://MEDIA.DEFCON.ORG/DEF CON CHINA 1/

This workshop is available to attendees of all levels; however, a basic familiarity with Process Monitor and the Windows API is recommended. The workshop will provide the required knowledge to find, analyze and exploit process workflows which allow an attacker to elevate their privileges from Medium to High integrity. The workshop is divided into the following sections.

Auto-Elevation:
Finding UAC bypass targets
Identifying auto-elevating processes
Analyzing process workflows
Dropping 0day(s)!

Auto-Elevation > Elevated File Operations:
Using the IFileOperation COM object
Tricking the Process Status API (PSAPI)

Auto-Elevation > Getting UAC 0day (Pre Windows RS2):
Analysis of known UAC bypasses
Understanding the Windows Side-By-Side Assembly
Creating proxy DLLs
Using the Bypass-UAC framework

Auto-Elevation > Triaging Windows RS2:
Environment variables
Registry abuse
COM objects
Tokens

The workshop has intense hands-on labs where attendees will put the theory into practice. After attending, you will immediately be able to apply this knowledge in the field. The next time someone tells you the default UAC settings are sufficient you will be able to set them straight!
My name is Ruben Boonen (@FuzzySec), I have been working in InfoSec since 2012. I have a well-rounded skill set, having taken on many application, infrastructure and bespoke engagements. I have however developed a special interest for Windows: Domain hacking, exploit development, client-side attacks, restricted environments, privilege escalation, persistence, post-exploitation and PowerShell!

I love breaking stuff but it is equally important to me to share that knowledge with the wider community. I have previously been a trainer at Black Hat, Def Con and various BSides events in the UK. Additionally, I maintain an InfoSec blog (http://www.fuzzysecurity.com/) where I publish research on a variety of topics!


PRACTICAL MALWARE ANALYSIS: HANDS-ON

Sam Bowne
Devin Duffy-Halseth
Dylan Smith


Learn how to analyze Windows malware samples, with a hands-on series of projects in a fun, CTF-style environment. There are four levels of analysis challenges.

1. Basic static analysis with file, strings, PEiD, PEview, Dependency Walker, and VirusTotal

2. Basic dynamic analysis with Process Monitor, Process Explorer, RegShot, and Wireshark

3. Advanced static analysis with IDA Pro Free and Hopper

4. Advanced dynamic analysis with OllyDbg and WinDbg

The first challenges are easy enough for beginners, and the later ones get difficult enough to interest intermediate security professionals. We will demonstrate the challenges, discuss the technologies and techniques, and help participants get through them as needed.

These challenges use harmless malware samples from the "Practical Malware Analysis" book by Michael Sikorski and Andrew Honig.

All materials and challenges are freely available at samsclass.info, including slide decks, video lectures, and hands-on project instructions. They will remain available after the workshop ends.
Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on trainings at DEFCON, HOPE, RSA, B-Sides SF, B-Sides LV, and many other cons. He has a PhD and a CISSP and a lot of T-shirts.

Dylan James Smith is a system consultant who now studies and assists with classes as a tutor and TA for Sam Bowne, helping facilitate hands-on workshops at conferences including BSidesLV/SF, DEF CON, and RSA. Currently tearing things apart and putting them back together while seeking opportunities to practice and teach hacking, or "the cybers" depending on the crowd.

Devin Duffy has assisted Sam Bowne with a hands-on workshop at RSA and other conferences. He's a Script kiddie 4 lyfe.
NCRACK AND NMAP NSE DEVELOPMENT FOR OFFENSE AND DEFENSE

Paulino Calderon


This workshop will teach participants how to use Nmap, the Nmap Scripting Engine (NSE) and Ncrack to extend the power and capabilities of Nmap. It will cover the basics of Nmap usage, NSE, and the Lua programming language before diving into how to solve problems by writing custom scripts and modules. By the end of the workshop, you will have in-depth knowledge of Nmap, Ncrack, the Nmap Scripting Engine and how to develop NSE scripts and Ncrack modules for offensive and defensive tasks. Participants will be provided with a virtual machine that they can use during the training.

Paulino Calderon (@calderpwn) has been in Information Security for more than 10 years. He is the co-founder of Websec, a company offering information security consulting services based in Mexico and Canada. He loves learning new technologies, conducting big data experiments, and developing and destroying software. In 2011 Paulino joined the Nmap team during the Google Summer of Code program to work on the project as an NSE developer. He focused on improving the web scanning capabilities of Nmap and has kept on contributing to the project since then. He has also published 'Nmap 6: Network Exploration and Security Auditing Cookbook' and 'Mastering the Nmap Scripting Engine' covering practical tasks with Nmap and NSE development. He loves attending information security conferences and has given talks and workshops in over 30 events in Canada, the United States, Mexico, Colombia, Peru, Bolivia and Curacao.
DECENTRALIZED HACKER NET

Eijah
As hackers, sometimes we need to send data without anybody knowing anything. We don't want anybody to know what we're sending, so we use encryption. That's the easy part. We also don't want anybody to know that we're sending any data. That's the hard part. The observation of our presence on the network could be enough to get us in trouble. And that's just not acceptable. We need to figure out a way to hide in plain sight.

Creating an environment where data can be sent securely and our presence on the network is hidden is not an easy thing to do. We can't rely on centralized technologies, which means we need to build a decentralized network. The network should be adaptive and flexible enough to send any type of data to any number of users. But how do we inject anonymity into a network while still supporting the verification of identity between parties? Can we establish trust without having to trust?

This workshop takes you through the process of creating a decentralized network that allows you to circumvent detection by governments and corporations. You'll be able to securely communicate and share data while masking your online identity. You'll create an adaptive, node-based infrastructure where data is shared via Distributed Hash Tables (DHT) backed by real-time asymmetric Elliptic-curve cryptography (ECC). If you've ever wanted to punch a hole through a great (or not-so-great) firewall, this workshop is for you.

Please note that this is a medium-level, technical workshop and requires that attendees have prior experience in at least one programming language, preferably C or C++. Bring your laptop, a USB flash drive, and your favorite C/C++11 compiler (>= gcc/g++ 4.9.2 or MSVC 2015).




Eijah is the founder of Promether and has 20+ years of software development and security experience. He is also the creator of Demonsaw, an encrypted communications platform that allows you to chat, message, and transfer files without fear of data collection or surveillance. Before that Eijah was a Lead Programmer at Rockstar Games where he created games like Grand Theft Auto V. He has been a faculty member at multiple colleges, has spoken about security and development at DEFCON and other security conferences, and holds a master's degree in Computer Science. Eijah is an active member of the hacking community and is an avid proponent of Internet freedom.
SCANNING THE AIRWAVES: BUILDING A SIMPLE RADIO SCANNING SYSTEM USING SDR

Richard Henderson

Every second of every day, radio communications are flying through the air: shortwave radio, broadcast AM, FM and television, ham radio users. Taxi drivers, buses, parents using small toy radios to keep in touch in amusement parks. Have you ever wondered what's being said over the air? Many of these systems are easily listenable with some basic software and very inexpensive hardware dongles originally designed for capturing over-the-air television broadcasts.

This workshop will walk you through the basics of radio systems, how they work, and how you can set up a listening post to decode these systems and listen in. We'll also cover the legalities of listening in, and where to find information online about popular frequencies to listen in on. If you have an SDR stick, please bring one. A number of sticks will be available to borrow for those without.

Richard Henderson is a writer, researcher, and ham radio/electronics nerd who has worked in infosec and technology for well over a decade. Richard is currently co-authoring a book on cybersecurity for ICS/SCADA systems.
MOBILE APP ATTACK 2.0

Sneha Rajguru

This full-fledged, advanced hands-on workshop will get the attendees familiar with various Android as well as iOS application analysis techniques and with bypassing the existing security models on both platforms. The main objective of this workshop is to provide a proper guide on how mobile applications can be attacked, to provide an overview of how some of the most important security checks for applications are applied, and to give an in-depth understanding of these security checks. The workshop will also include a CTF challenge designed by the trainer at the end, where the attendees will use the skills learnt during the workshop to solve this challenge.

This workshop will mainly focus on the following:

1. Reverse engineering Dex code for security analysis.

2. Jailbreaking/Rooting of the device and also various techniques to detect Jailbreak/Root.

3. Runtime analysis of the apps by active debugging.

4. Modifying parts of the code, where any part can be specified as some functions or classes; to perform this check or to identify the modification, we will learn how to find and calculate the checksum of the code. Our objective in this section will be to learn how to reverse engineer an application, get its executable binaries, modify these binaries accordingly, and resign the application.

5. Runtime modification of code. The objective is to learn how programs/code can be changed or modified at runtime. We will learn how to perform introspection or override the default behavior of methods during runtime, and then we will learn how to identify if the methods have been changed. For iOS we can make use of tools such as Cycript, snoop-it etc.

6. Hooking an application and learning to perform program/code modification.

7. By the end of the workshop, CTF challenges written by the trainer based on the course content will be launched, where the attendees will use the skills learnt in the workshop to solve the CTF challenges.

The workshop will begin with a quick understanding of the architecture, file system, permissions and security model of both the iOS and Android platforms.

Newly designed CTF challenge apps (both Android and iOS apps) will be distributed to the attendees to solve and practice mobile app exploitation.

NOTE:

The tools and techniques used in the workshop are all open source and no special proprietary tools need to be purchased by the attendees for analysis post the training. Some of the tools taught in the training will be helpful in analysis and automating test cases for security testing of mobile apps:

Drozer, Introspy, Apktool, Dex2jar, Cycript, JD-GUI, SSL Trust Killer
Sneha works as Senior Security Consultant with Payatu Software Labs LLP. Her interests lie in web, mobile application security and fuzzing. She has discovered various security flaws within various open source applications such as PDFLite, Jobberbase, Lucidchart and more. She has spoken and provided trainings at various conferences such as DEFCON, BSides LV, BSidesVienna, OWASP AppSec USA, DeepSec, DefCamp, FUDCon, and Nullcon. Sneha is passionate about promoting and encouraging Women in Security and has founded an initiative called WINJA-CTF through which she hosts women-only CTFs and Workshops at conferences and other events. Sneha is also active in the local security community and hosts local security meetups in Pune. She leads the Pune chapter of the null community.
SOCIAL ENGINEERING ESSENTIALS

Valerie Thomas

Are you a penetration tester in need of social engineering training? Perhaps you just want an understanding of what social engineering is all about. This workshop has something for everyone. First we'll begin with the basics of social engineering and why it works, then dive into non-traditional topics such as spycraft, acting, pressure sales, and the psychology behind them. Next we'll build upon that knowledge to create social engineering attacks. We'll cover the steps of the social engineering process from planning to post-attack including real-world examples. We'll end the day with the basics of appearance hacking and utilizing social engineering in physical penetration testing.

Valerie Thomas is an Executive Information Security Consultant for Securicon LLC who specializes in social engineering and physical penetration testing. After obtaining her bachelor's degree in Electronic Engineering, Valerie led information security assessments for the Department of Defense before joining private industry. Her unique Defense and civilian background provides her with a solid understanding of intrusion detection, data loss prevention, and endpoint (in)security. Her electronic and RFID training became a crucial element of her physical security specialization. While some choose to focus on cyber or physical security, she has chosen to exploit the weaknesses of the combination of the two. As an ethical hacker and consultant, she holds multiple industry certifications. Valerie is the coauthor of "Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats" with Bill Gardner. Throughout her career, Valerie has conducted penetration tests, vulnerability assessments, compliance audits, and technical security training for executives, developers, and other security professionals. She has provided briefings and workshops for DEF CON, Derbycon, Blackhat, and multiple BSides events.


HANDS-ON EXPLOIT DEVELOPMENT

Georgia Weidman

This course will provide a hands-on foundation in discovering and exploiting memory corruption issues. Complex memory corruption issues are discovered in software by security researchers regularly, resulting in bug bounties and exploit sales. In this workshop we will discuss how memory corruption works and gain some experience using the tools of the trade for developing working exploits such as GDB, Immunity Debugger, and Mona.py. Participants will exploit beginner-friendly examples of common memory corruption issues, allowing students to get familiar with how memory corruption works without getting stuck behind all the latest and greatest anti-exploitation methods. Both Windows and Linux examples will be included. Students will be provided with target virtual machines with vulnerable software running as well as additional exercises for continued practice after class. By popular demand this course has moved to more modern operating systems, though the bugs used are still beginner friendly. Exploits will be written in the Python programming language but exploit skeletons will be provided for those unfamiliar with the language. This workshop prepares students for future study in vulnerability discovery and exploit development.
Shevirah founder and CTO Georgia Weidman is a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. She holds an MS in computer science as well as CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured internationally in print and on television. She has presented or conducted training around the world including venues such as NSA, West Point, and Black Hat. Georgia founded Bulb Security LLC, a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security, culminating in the release of the open source project the Smartphone Pentest Framework (SPF). She founded Shevirah Inc. to create product solutions for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions, and is a graduate of the Mach37 cybersecurity accelerator. She is the author of Penetration Testing: A Hands-On Introduction to Hacking from No Starch Press. She was the recipient of the 2015 Women's Society of CyberJutsu Pentest Ninja award. She is on the board of advisors of the angel-backed security training startup Cybrary and the nonprofit Digital Citizens Alliance and is a member of the CyberWatch Center's National Visiting Committee. She served as a judge for the FTC Home Inspector IoT security challenge.
VILLAGES

LOCKPICK VILLAGE
2nd Floor, Room 5
http://toool.us/

Want to tinker with locks and tools the likes of which you've only seen in movies featuring police, spies, and secret agents? Then come on by the Lockpick Village, run by The Open Organization Of Lockpickers, where you will have the opportunity to learn hands-on how the fundamental hardware of physical security operates and how it can be compromised.

The Lockpick Village is a physical security demonstration and participation area. Visitors can learn about the vulnerabilities of various locking devices, techniques used to exploit these vulnerabilities, and practice on locks of various levels of difficulty to try it themselves.

Experts will be on hand to demonstrate and plenty of trial locks, pick tools, and other devices will be available for you to handle. By exploring the faults and flaws in many popular lock designs, you can not only learn about the fun hobby of sport-picking, but also gain a much stronger knowledge about the best methods and practices for protecting your own property.
AI VILLAGE
3rd Floor, Room 20
https://twitter.com/aivillage_dc

The AI Village at DEFCON is a place where experts in AI and security (or both!) can come together to learn and discuss the use, and misuse, of artificial intelligence in traditional security. Artificial Intelligence and Machine Learning techniques are rapidly being deployed in core security technologies like malware detection and network traffic analysis, but their use has also opened up a variety of new attack vectors against the systems that use them. Using techniques such as Generative Adversarial Networks, would-be attackers could target non-traditional platforms, such as deep learning based image recognition systems used in self-driving cars. These same attack methods could be leveraged to extract confidential training data from a deployed model itself, adding another layer of privacy and security risks to an ever-growing list of concerns.

The AI Village will explore these issues and encourage open discussion for possible solutions (and any interesting attacks the attendees can come up with). For those who would rather learn through practice, a practice workshop session will also be available.

Come participate in introductory workshops where you can learn how to use (and misuse!) machine learning models as part of your arsenal. Talks include:

- A discussion of the recently released report on the Malicious Use of AI
- Red-teaming machine learning systems using adversarial techniques
- Vulnerabilities of machine learning tools
CAR HACKING VILLAGE 

еа entrance 

https://www.carhackingvillage.com/ 


Car Hacking Village is an interactive, hands-on 
village with the goal of teaching village goers 
what car hacking is, introducing village goers 
to the tools of car hacking, and working with hackers 
to create a community of car hackers at DEF CON China. 
RECON VILLAGE 

Recon Village is an Open Space with Talks, Live Demos, 
Workshops, Discussions, CTFs with a common focus on 
Reconnaissance. The village is meant for professionals 
interested in areas of Open Source Intelligence (OSINT), 
Threat Intelligence, Reconnaissance, and Cyber Situational 
Awareness, etc. with a common goal of encouraging 
and spreading awareness around these subjects. 
HARDWARE HACKING 
VILLAGE 

Ballroom C 

https://www.dchhv.org 


Lots of prizes to go around, and lots of puzzles 
to learn new things or show off your skills. 


Come join us for hardware hacking, teaching, 
learning, and exploration. 


PACKET HACKING VILLAGE 
2nd Floor, Rooms 7-8 

https://www.wallofsheep.com/ 

The Packet Hacking Village is where you'll find network 
shenanigans and a whole lot more. PHV welcomes 
all DEF CON attendees and there is something 
for every level of security enthusiast. This village 
was created to help enlighten attendees through 
education and awareness while focusing on defense 
and blue team techniques. 
BLUE TEAM VILLAGE 

3rd Floor, Room 19 

https://twitter.com/BlueTeamVillage 

For many, DEF CON epitomizes hacking, which 
traditionally involves an offensive mentality. However, 
in recent years, attacks have become trivially easy 
to carry out in any environment, meaning that effective 
defense has been difficult. Defenders have to deal 
with legacy, politics, and resource constraints and 
typically have less public information on how to best 
protect their environment when compared to the red 
side. This leaves defenders at DEF CON feeling a bit left 
out with most, if not all, of the content favoring red. This 
village is a DEF CON paradigm shift providing an area 
where Blue Teams can gather, learn basic and advanced 
defensive techniques, swap war stories, and have fun. 


Blue Team Village at DEF CON (BTV) promotes defensive 
security knowledge and its dissemination throughout 
the greater DEF CON community. At the BTV, you'll find 
valuable information on defensive security from the very 
basic 101-level concepts through the latest, most advanced 
techniques we can get past NDAs. We also have contests, 
so you can prove your skills in securing systems, and 
perhaps even show some of those red teamers what's what. 


CHIP-OFF VILLAGE 
Ballroom C 


VXRL is founded by a group of passionate security 
researchers and white-hat hackers in Hong Kong. Our 
team has deep expertise in software and hardware 
security, and we have hands-on domain knowledge 
in several vertical industries. Our mission is to make 
cyberspace a safe place for the future. 


During the chip-off village, visitors will have the opportunity 
to remove the embedded eMMC chip from devices 
and re-solder it onto a small circuit board. Our experts 
will demonstrate how to attack the IoT/mobile devices to 
obtain privileges and gain access, as well as the data 
stored. We will also introduce some inexpensive JTAG/ 
ISP and chip-off equipment on-site for your testing. 


BIOMETRICS 
IDENTIFICATION VILLAGE 
Ballroom C 

In the biometrics identification village, you will learn 
how biometric identification technology works. Such 
technology includes fingerprint, iris, face, and vein 
recognition, etc. You will also learn how to circumvent 
the authentications based on these biometrics 
by simply spoofing the sensors. We will bring our hacking 
methods to the audience by breaking down the sensor 
devices, capturing and faking the biometric characteristics. 


PRESENTATION SCHEDULE 


FRIDAY 

Time slots: 12:00, 13:00, 14:00, 15:00, 16:00, 17:00 

- Welcome to DEF CON China 
  The Dark Tangent 

- Spreading Malware with Google (Nice Quilombo) 
  Fabian Cuchietti & Gonzalo Sanchez 

- You Logged Into My Account 
  Daizibukaikou 

- When Memory-Safe Languages Become Unsafe 
  Mingshen Sun & Dr. Wei Tao 

- Lessons Learned from Five Years of Building Capture the Flag 
  Vito Genovese 

- Triton and Symbolic Execution on GDB 
  Weibo Chen 

- General Ways to Find and Exploit Path Traversal Vulnerabilities on Android Apps 
  Xiaobo Xiang & Yulong Zhang 


SATURDAY 

Time slots: 10:00, 11:00, 12:00-12:20, 12:30-12:50, 13:00, 14:00, 15:00, 16:00, 17:00, 19:00-21:00 

- Keynote: Bugs Aren't Random: A Unified Perspective on Building and Breaking 
  Dan Kaminsky 

- Blasted to Bits: Mutilating Media in a Minute 
  Zoz 

- Fooling Image Search Engine 
  Yuanjun Gong, Bin Liang, & Jianjun Huang 

- Transparent Malware Debugging on x86 and ARM 
  Zhenyu Ning & Fengwei Zhang 

- From Memory Safety to Non-bypassable Security (NbSP) 
  Dr. Wei (Lenx) Tao 

- Beyond Adversarial Learning: Data Scaling Attacks in Deep Learning Applications 
  Kang Li 

- Security Research Over the Windows (Kernel) 
  Peter Hlavaty 

- Smart Contract Hacking 
  Konstantinos Karagiannis 

- DEF CON Groups Panel 
  Peter Wesley, Tielei Wang, Changsheng Gao, Xinpeng Liu, Jun, April C. Wright, & Jayson E. Street 

- Live Music 


SUNDAY 

Time slots: 10:00, 11:00, 12:00-12:20, 12:30-12:50, 13:00, 14:00 

- From Dark Visitors to Valued Allies: The Evolution of the Hacker Community in Asia and Around the World! 
  Jayson E. Street 

- Hacking Intranet from Outside: Security Problems of Cross Origin Resource Sharing (CORS) 
  Dr. Haixin Duan & Jianjun Chen 

- Passwords in the Air: Harvesting Wi-Fi Credentials from SmartCfg Provisioning 
  Changyu Li & Quanpu Cai 

- I Am Groot: Examining the Guardians of Windows 10 Security 
  Chuanda Ding 

- Androsia: Securing 'Data in Process' for your Android Apps 
  Samit Anwer 

- Closing Talk 
PRESENTATIONS 


ANDROSIA: SECURING 'DATA IN 
PROCESS' FOR YOUR ANDROID 
APPS 

Samit Anwer 


Each Android app runs in its own VM, with a limited 
heap size for creating new objects. The Android OS/ 
app doesn't differentiate between regular objects and 
objects that contain security sensitive information. 
These critical objects are kept around in the heap 
until the OS hits a memory constraint. The OS then 
chooses to invoke the garbage collector in order to reclaim 
memory from the apps. Java does not provide explicit 
APIs to reclaim memory occupied by objects. This 
leaves a window of time where the security critical 
objects live in memory and wait to be garbage 
collected. During this window a compromise of the 
app can allow an attacker to read the credentials. 
This is a needless risk every Android application 
lives with today. We propose a tool called Androsia, 
which performs a summary based interprocedural 
data flow analysis to determine the points in the 
program where security sensitive objects are last 
used (so that their content can be cleared). Androsia 
then performs bytecode transformation of the app 
to flush out the secrets, resetting the objects to their 
default values. Attendees will learn: a) why the 
java.security.* APIs for destroying objects are not up to 
the mark, b) the key terms used in data flow 
analysis with live examples and finally, c) how 
Androsia protects data in process for Android apps. 


Samit Anwer is a Web/Mobile Application 
security researcher. Soon after completing his 
Master's degree from IIIT Delhi in Mobile and 
Ubiquitous Computing he joined Citrix R&D 
India as a Product Security researcher. 


He is actively involved with vulnerability research 
in popular Web/Mobile apps and has responsibly 
disclosed several security vulnerabilities with 
Google Cloud Print API, XSS filter evasion on IE 11/ 
MS Edge, code execution on Microsoft Windows 
10, Microsoft's OAuth 2.0 implementation 
and buffer overflows on MS Edge/IE 11. 


He is an active member of the Null Bangalore Chapter 
and the IEEE community and has spoken on various security 
topics at BlackHat Asia Singapore (2018), AppSec USA, 
Orlando (2017), c0c0n X, Kerala (2017), CodeBlue, 
Tokyo (2017), and Null meets (2015, 2016, 2017). 


His technical interests lie in using static program 
analysis techniques to mitigate security and 
performance issues on mobile/web apps, breaking 
web/mobile apps, and researching cutting edge 
authentication and authorization mechanisms. 

His publications can be found here: 
https://dblp.uni-trier.de/pers/hd/a/Anwer:Samit 


Twitter: @samitanwerl 
TRITON AND SYMBOLIC 
EXECUTION ON GDB 


Weibo Chen 


I introduce the concept of symbolic execution and 
Triton (https://github.com/JonathanSalwan/Triton), 
and the detailed steps of how I designed and developed 
SymGDB (https://github.com/SQLab/symgdb). I 
will also explain the architecture design, what kind 
of problems I met, and how I debugged while developing 
SymGDB. At the end, I compare the differences between 
Triton and other symbolic execution frameworks. 


Weibo Chen (@bananaappletw) is Co-founder of NCTUCSC 
(https://www.facebook.com/NCTUCSC/) and member of 
the Bamboofox CTF team. Recently, he got his master's 
degree from National Chiao Tung University. He 
focuses on symbolic execution and binary exploitation. His 
passion is for security education and security research. 
He loves to share knowledge with other people. 


SPREADING MALWARE WITH 
GOOGLE (NICE QUILOMBO) 


Fabian Cuchietti 
Gonzalo Sanchez 


Google products have a good reputation and are 
synonymous with reasonably high and reliable 
levels of security. However, in this talk, Fabian and 
Gonzalo will show a case in which Google Earth 
is the attack vector: malware is injected into memory 
to evade antimalware products and the Google Earth 
sandbox. 


Three scopes will be covered during the conference: 

- Google Session Hijacking 

- Remote Code Execution (Remote Shell) 

- Javascript malware execution (Monero Mining) 


Fabian Cuchietti (Argentina '90) started in the 
security world at a very young age. Member of 
the Hall of Fame of companies such as Google, 
Facebook, Apple, Microsoft, Mozilla or Paypal. He 
was one of the first South American members of 
Synack's Red Team. Since 2015 he has been working 
as a Red Team Member at Internet Security Auditors. 


Gonzalo Sanchez (Spain '81) is Red Team Leader 
at Internet Security Auditors and is manager of the 
hacking teams of Madrid, Barcelona and Bogotá. 


Fabian and Gonzalo met at ISEC Auditors and 
are working together building crazy big things. 


YOU LOGGED INTO 
MY ACCOUNT 

Daizibukaikou 


This topic describes some ways of inducing victims 
to log into an attacker's account on the Internet, 
which can result in some vulnerabilities and attack 
scenarios. Meanwhile, this topic will also mention 
how to fix it. This kind of security risk is often 
overlooked, while it can provide important help for 
exploiting some vulnerabilities, even combining some 
of the low-risk vulnerabilities or features of CSRF, 
self-XSS, OAuth, and SSO, etc. to steal login credentials, 
bind third-party backdoor accounts, steal privacy, 
access others' resources, conduct phishing attacks 
and implement fraudulent use of identity, etc. 


Network ID: Daizibukaikou. He is skillful in web 
security and once worked for Internet companies 
such as Sina, Nokia, Meituan, and Xiaomi on 
information security. He is currently working for 
Anifin as a security expert, and is responsible 
for system and network security. 


I AM GROOT: EXAMINING THE 
GUARDIANS OF WINDOWS 10 
SECURITY 


Chuanda Ding 
Tencent Security Xuanwu Lab 


Being one of the main targets of 3 
Pwn2Own competitions, Microsoft Windows 
10, along with Microsoft Edge, has proven 
more and more difficult to exploit. 


Now that Windows 10 has been released for more 
than 2 years, Microsoft has been constantly 
updating the security mitigations integrated 
with the operating system. After 5 major 
releases, multiple levels of protections have 
been added to prevent a programming error 
from turning into a full system compromise. 


You may have heard many of them marketed 
as "Guards" under the Windows Defender 
brand. But how do they actually work? 


As Pwn2Own participants (and winners), we closely 
watched Windows 10 security evolve over the years. 


In this talk, you will get a behind-the-scenes 
view of Windows 10 security mitigation 
implementations, how they helped make attackers' 
lives harder, and how the attackers overcame them. 


Chuanda Ding is a senior security researcher 
at Tencent Security Xuanwu Lab, conducting 
research on Windows security. 


He spoke at CanSecWest 2016, QCon 
Beijing 2016 and CanSecWest 2017. 


Twitter: @XuanwuLab 


HACKING INTRANET 
FROM OUTSIDE: SECURITY 
PROBLEMS OF CROSS ORIGIN 
RESOURCE SHARING (CORS) 

Dr. Haixin Duan 
Professor, Institute for Network Science and 
Cyberspace, Tsinghua University 


Jianjun Chen 
PhD student, Tsinghua University 


The default Same Origin Policy essentially restricts 
access to cross-origin network resources to be 
"write-only". However, many web applications require 
"read" access to contents from a different origin, so 
developers have come up with workarounds, such 
as JSON-P, to bypass the default Same Origin Policy 
restriction. Such ad-hoc workarounds leave a number 
of inherent security issues. CORS (cross-origin resource 
sharing) is a more disciplined mechanism supported 
by all web browsers to handle cross-origin network 
accesses. In this talk we present our empirical study 
of the real-world uses of CORS. We find that the 
design, implementation, and deployment of CORS are 
subject to a number of new security issues: 1) CORS 
relaxes the cross-origin "write" privilege in a number 
of subtle ways that are problematic in practice; 2) 
CORS brings new forms of risky trust dependencies 
into web interactions; 3) CORS is generally not 
well understood by developers, possibly due to 
its inexpressive policy and its complex and subtle 
interactions with other web mechanisms, leading 
to various misconfigurations. Finally, we propose 
protocol simplifications and clarifications to mitigate 
the security problems uncovered in our study. 
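As an added example (not from the talk or the authors' study), the Node.js origin check below shows two of the misconfigurations this kind of study turns up, reflecting any Origin with credentials and suffix-matching the Origin string, beside a strict allowlist comparison; the allowlisted origins are made-up sample values.

```javascript
// Added example, not from the talk or the authors' study: origin validation for a
// CORS-enabled API, showing two common misconfigurations beside a strict allowlist.
// Assumes Node.js (global URL class); the origins used are constructed sample values.

// Misconfiguration 1: reflect whatever Origin the browser sent and allow credentials.
// The victim's cookies ride along and the response becomes readable, so the
// "write-only" default of the Same Origin Policy turns into cross-origin "read"
// for any site that can get the victim's browser to make the request.
function weakReflectingCors(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Misconfiguration 2: substring/suffix matching on the raw Origin string.
// "https://evil-example.com" ends with "example.com" and is accepted.
function weakSuffixMatch(requestOrigin, trustedDomain) {
  return typeof requestOrigin === "string" && requestOrigin.endsWith(trustedDomain);
}

// Hardened: parse the Origin and compare scheme + host + port exactly against an
// allowlist of serialized origins. Returns null when the origin is not trusted,
// in which case the server should emit no CORS headers at all.
function strictCorsHeaders(requestOrigin, allowList) {
  if (typeof requestOrigin !== "string") return null;
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch (e) {
    return null; // opaque "null" origin (sandboxed iframe, file://) or garbage input
  }
  // URL.origin lowercases the host and drops default ports, so
  // "https://App.Example.com:443" compares equal to "https://app.example.com".
  const normalized = parsed.origin;
  if (normalized === "null" || !allowList.includes(normalized)) return null;
  return {
    "Access-Control-Allow-Origin": normalized,
    "Access-Control-Allow-Credentials": "true",
    // Vary: Origin keeps a shared cache from replaying one origin's response to another.
    Vary: "Origin",
  };
}

// Constructed allowlist for the demonstration (not real deployments).
const SAMPLE_ALLOWLIST = ["https://app.example.com", "https://admin.example.com:8443"];
```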


Dr. Haixin Duan is a professor at the Institute for 
Network Science and Cyberspace, Tsinghua University. 
He was once a visiting scholar at UC Berkeley and 
a senior scientist at the International Computer Science 
Institute (ICSI). Dr. Duan has been working on network 
security for more than 20 years. His recent research 
interests include protocol security, intrusion detection, 
underground economy detection, etc. Some of 
his research results were deployed by industries like 
Baidu, and published in top security conferences like 
Security & Privacy, USENIX Security, CCS and NDSS. 


Jianjun Chen is a PhD student at Tsinghua University 
supervised by Prof. Haixin Duan. In 2015, he visited 
UC Berkeley under the direction of Prof. Vern Paxson. 
Currently he has published three papers at top 
security conferences (NDSS, CCS, IEEE S&P). Among 
them, the NDSS paper on CDN forwarding loop 
attacks won the conference's "Distinguished 
Paper Award". It is the first time that a Chinese 
scholar has won this award as the first author at a top 
security conference. His research work is not only 
recognized by the academic community, but has also helped 
many well-known industrial companies (e.g. Akamai, 
Cloudflare, Tencent) and open-source software (e.g. 
Squid) to fix multiple severe vulnerabilities. 


LESSONS LEARNED FROM 
FIVE YEARS OF BUILDING 
CAPTURE THE FLAG 

Vito Genovese 


Member, Legitimate Business Syndicate 


Capture the Flag is the ultimate test of hacker skill, 
and DEF CON is the oldest and most prestigious CTF 
venue. After five years running DEF CON CTF with 
Legitimate Business Syndicate, our journey running 
this series of games has come to a close, but what 
remain are the lessons we learned along the way. 


This presentation will cover topics about all 
aspects of CTF organization: the history of CTF, 
building a cross-functional organizing team that 
sticks together year after year, developing a 
game infrastructure that handles the onslaught of 
attacks from players, and the stories behind some 
of the most difficult CTF challenges ever built. 


Vito Genovese is a founding member of Legitimate 
Business Syndicate, organizers of DEF CON Capture 
the Flag from 2013 to 2017. Vito's work included 
building infrastructure for distributed software 
development, designing and building both cloud- 
based and on-site scoring systems for CTF, visual 
design and branding of competition materials, 
picking fonts, sourcing coffee and other beverages, 
and writing public material for the Legitimate 
Business Syndicate blog and Twitter accounts. 


legitbs.net/ 
Twitter: @vito_bs 
FOOLING IMAGE SEARCH 
ENGINE 

Yuanjun Gong 
Bin Liang 
Jianjun Huang 


Our work brings to light that Content-Based Image 
Retrieval (CBIR) systems, which are commonly used 
in image search engines, can be potential attack 
targets of adversaries. In this work, we present the 
threat model of evading the CBIRs. Specifically, we 
focus our work on the SIFT/SURF based CBIRs and 
propose several algorithms for removing/injecting 
the key points in images to bypass the algorithms. 
We apply the RMD algorithm and our algorithm to 
remove the SIFT and SURF key points respectively. 
Moreover, we inject SIFT key points into images 
with our IMD algorithm (inverting the operation 
of RMD) or surround an image with a frame filled 
with 'basic bricks'. We evaluate the algorithms on 
an image indexing engine VisualIndex with three 
strategies: removal only, injection only and hybrid. 
The experimental results show the effectiveness 
of bypassing the engine. With the algorithms 
and strategies, we succeed in evading Google 
Image Search Engine, which can be considered as 
a black-box CBIR system, while the utility of the 
image is preserved. We also demo the possibility 
of source/target attack. To conclude, our work 
proves the existence of threats to CBIR systems 
and demonstrates that industrial-level Image 
Search Engines, such as Google Image Search, are 
prone to be attacked with adversarial images. 


Yuanjun Gong is an undergraduate student at Renmin 
University of China, majoring in Information Security. 


Bin Liang received the Ph.D. degree in Computer 
Science from Institute of Software, Chinese Academy 
of Sciences. He is currently a Professor at School 
of Information, Renmin University of China. His 
research interests focus on program analysis, 
vulnerability detection, and Web security. 


Jianjun Huang received the Ph.D. degree in 
Computer Science from Purdue University. He 
is currently an Assistant Professor in Renmin 
University of China. He is now focusing on detecting 
vulnerability in desktop/mobile/Web applications. 
SECURITY RESEARCH OVER 
THE WINDOWS (KERNEL) 
Peter Hlavaty 


Senior Security Researcher at Keenlabs Tencent 


Over the past several years Microsoft Windows has undergone 
many fundamental security changes. One can argue it is 
still imperfect and bound to tons of legacy issues, but on 
the other hand those changes have made important shifts 
in the attacker's perspective. From tightened sandboxing, 
restricting attack surface, introducing mitigations, 
applying virtualization, up to a stronger focus even on 
win32k. In our talk we will go through those changes, 
how they affect us and how we tackle them, from 
choosing targets and finding bugs up to the exploitation 
primitives we are using. We will also emphasize that 
Windows research is not only about the sandbox, and 
there are many more interesting targets to look for. 


Peter (@zer0mem) is Senior Security Researcher 
at KeenLab, Tencent. Focusing mainly on sandbox 
escapes on the Windows platform, virtualization, and 
mitigation bypasses. Pwn2Own 2016..2017 winner, 
frequent speaker at software security conferences 
like recon, bluehat, zeronights, syscan, and others. 


Twitter: @zer0mem 
BUGS AREN'T RANDOM: A 
UNIFIED PERSPECTIVE ON 
BUILDING AND BREAKING 

Dan Kaminsky 


Chief Scientist, White Ops 


It can take looking at a few thousand bugs, but 
eventually hacking feels like getting really good 
at telling the same joke, over and over again. 
It's OK, the computer still laughs, but why isn't 
software engineering delivering the reliability and 
predictability of other engineering disciplines? 


That's a question with an answer. It's not an easy 
answer, like "devs are lazy" or "tools are bad". 
Who are hackers to complain about either? But 
it's an answer I intend to explore, in true hacker 
fashion, by seeing traditional boundaries as mostly 
false, but useful for identifying what to fuzz. 


Why should we separate the humans that write 
bugs, from the tools they use? Humans 
write tools. Why these tools in particular? 


Why would we separate forward and reverse 
engineering, dev from test? Wait, are those the 
same thing? Does any other field isolate the 
creator from the consequences of their creation? 


Is this going to be just some fluffy exploratory 
keynote? No, this is way too long a flight for 
that. We're going to talk about where I think 
software and hardware architecture is going to 
go, with actual code you're welcome to try to 
break. I'll tell you exactly where to look. 


Should be fun. 


Dan Kaminsky has been hacking professionally 
for almost twenty years. A well known speaker at 
conferences such as Black Hat and Defcon, Dan is 
the Co-Founder and Chief Scientist of White Ops, 
and is one of seven Recovery Key Shareholders 
for the Internet's Domain Name System. Dan's 
research spans a wide variety of topics, but he gets 
the coolest emails from kids who use his iPhone app 
to correct their color blindness. It's called DanKam, 
because of course it is, and he's telling you this so 
he has to get it back on the iPhone store already. 


Twitter: 
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SMART CONTRACT HACKING 


Konst 


antinos Karagiannis 


СТ0- Security Consulting, BT Americas 


Smart contract hacking always makes headlines. 
Typical incidents can cost millions or even hundreds 
of millions in losses. And the problem doesn't 
seem 10 he going away. Recent independent scans 
show 34,200 vulnerable smart contracts lurking 
on the Ethereum blockchain. It’s time to help these 
developers secure their code and foster a new 
generation of hardened SDLC practices. Ethereum 
has fantastic Turing-complete functions awaiting 
our use, and Solidity smart contracts are a crucial 
way that the Enterprise Ethereum Alliance, Quorum, 
and other entities plan on moving to Web 3.0. 
Ethical hacking of all this new code is a necessary 
service and excellent way 10 cash in (ethically). 


Join Konstantinos for a look at a Solidity hacking 
methodology that can be applied right away, 
including the latest open source tools. 
In this presentation the speaker will demonstrate attacks that target the data scaling process in popular deep learning examples. By carefully crafting input data that mismatches the scales used by deep learning models, the speaker will show how an attacker can successfully evade image classification even when applications use well-trained deep learning models. The speaker will also present a few potential defense strategies to detect or mitigate such data-flow attacks.
Konstantinos Karagiannis is the Chief Technology Officer for Security Consulting at BT Americas. In addition to guiding the technical direction of ethical hacking and security engagements, Konstantinos specializes in hacking financial applications, including smart contracts and other blockchain implementations. He has spoken at dozens of technical conferences around the world, including DEFCON, Black Hat Europe, RSA, and ISF World Security Congress.


Twitter: @konstanthacker 


Kang Li is a professor of computer science and the director of the Institute for Cybersecurity and Privacy at the University of Georgia. His research results have been published at academic venues, such as IEEE S&P, ACM CCS and NDSS, as well as industrial conferences, such as BlackHat, SyScan, and ShmooCon. Dr. Kang Li is the founder and mentor of multiple CTF security teams, including SecDawg and Blue-Lotus. He is also a founder and player of Team Disekt, a finalist team in the 2016 DARPA Cyber Grand Challenge.
BEYOND ADVERSARIAL LEARNING: DATA SCALING ATTACKS IN DEEP LEARNING APPLICATIONS

Kang Li

Director, Institute for Cybersecurity and Privacy, University of Georgia
PASSWORDS IN THE AIR: HARVESTING WI-FI CREDENTIALS FROM SMARTCFG PROVISIONING
Smart devices without an interactive UI (e.g., a smart bulb) typically rely on specific provisioning schemes to connect to wireless networks. Among all the provisioning schemes, SmartCfg is a popular technology to configure the connection between smart devices and wireless routers. Although the SmartCfg technology facilitates the Wi-Fi configuration, existing solutions seldom take into serious consideration the protection of credentials and therefore introduce security threats against Wi-Fi credentials.

We conduct a security analysis against eight SmartCfg-based Wi-Fi provisioning solutions designed by different wireless module manufacturers. Our analysis demonstrates that six manufacturers provide flawed SmartCfg implementations that directly lead to the exposure of Wi-Fi credentials: attackers could exploit these flaws to obtain important credentials without any substantial effort on brute-force password cracking. Furthermore, we keep track of the smart devices that adopt such Wi-Fi provisioning solutions to investigate the influence of the security flaws on real-world products. By reverse-analyzing the corresponding apps of those smart devices, we conclude that the flawed SmartCfg implementations constitute a wide potential impact on the security of smart home ecosystems.
Changyu Li graduated from Xidian University with a major in Information Security. After graduating, he continued his studies at Shanghai Jiao Tong University, focusing on software security. He is now a member of the Lab of Cryptology and Computer Security (LoCCS). He takes an interest in the security and privacy of the Internet of Things, especially the smart home. Also, he is a big fan of CTF games.

Quanpu Cai is an undergraduate student at Shanghai Jiao Tong University with a major in Cyber Security, and is now a member of the Lab of Cryptology and Computer Security (LoCCS). His interest covers a large span of security, including reversing and exploiting, mainly related to the area of the Internet of Things.
TRANSPARENT MALWARE DEBUGGING ON X86 AND ARM

Zhenyu Ning

Ph.D. Candidate, Wayne State University

Fengwei Zhang

Assistant Professor, Wayne State University

With the rapid proliferation of malware attacks on the Internet, understanding these malicious behaviors plays a critical role in crafting effective defense. Existing malware analysis platforms leave detectable fingerprints like uncommon string properties in QEMU, signatures in Linux kernel profiles, and artifacts on basic instruction execution semantics. Since these fingerprints provide the malware a chance to split its behavior depending on whether the analysis system is present or not, existing analysis systems are not sufficient to analyze sophisticated malware. In this talk, we present a framework for transparent malware analysis, which leverages the hardware features in existing PC and mobile devices to increase the transparency of malware analysis. In particular, we introduce MalT on the x86 architecture and Ninja on the ARM architecture. MalT uses System Management Mode as the execution environment and the Performance Monitor Unit as a hardware assistant to facilitate the analysis, whereas Ninja involves TrustZone technology and the Embedded Trace Macrocell to improve the transparency. Moreover, both MalT and Ninja are OS-agnostic, and do not require modification to the operating system or the target application.
Zhenyu Ning is a Ph.D. candidate with the Computer Science Department at Wayne State University. He received his master's degree in computer science from Tongji University in 2011. His research interests are in the areas of hardware-assisted system security, embedded systems, and trusted execution environments.


Twitter: @Hackin9 


Fengwei Zhang is an Assistant Professor with the Computer Science Department at Wayne State University. He received his Ph.D. degree in computer science from George Mason University in 2015. His research interests are in the areas of systems security, with a focus on trustworthy execution, transparent malware debugging, transportation security, and plausible deniability encryption. He is a recipient of the Distinguished Paper Award at ACSAC 2017.


FROM DARK VISITORS TO VALUED ALLIES: THE EVOLUTION OF THE HACKER COMMUNITY IN ASIA AND AROUND THE WORLD!
Jayson E. Street

Jayson E. Street will take the attendees on a journey through time and around the world, exploring one of the most difficult questions that faces our community: What is a Hacker? He'll focus on famous Chinese hackers throughout history and how we all connect through a global community. Be prepared to have your beliefs challenged and hopefully some questions answered.


Jayson E. Street is an author of the "Dissecting the Hack" series. Also the DEF CON Groups Global Ambassador. Plus the VP of InfoSec for SphereNY. He has also spoken at DEF CON, DerbyCon, GRRCon and at several other 'CONs and colleges on a variety of Information Security subjects. He was a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far, but if they are, please note he was chosen as one of Time's persons of the year for 2006.


Twitter: @jaysonstreet 
WHEN MEMORY-SAFE LANGUAGES BECOME UNSAFE

Mingshen Sun

Researcher, Baidu X-Lab

Yulong Zhang

Senior Staff Security Scientist, Baidu X-Lab

Dr. Wei Tao

Chief Security Scientist, Baidu


Fatal bugs introduced by non-memory-safe languages (C/C++/etc.) are one of the oldest yet still persistent problems in computer security. To alleviate this issue, there has been an emerging trend to re-implement programs using memory-safe languages (Rust/Go/Swift/etc.). By using such languages, developers usually have an illusion that they have obtained 100% guarantees of type soundness, memory safety, and thread safety.

However, through our assessment of a wide range of open-source projects, we found that this assumption is not correct and sometimes can lead to dangerous consequences. We collected and analyzed more than 10,000 Rust programs. All of these programs rely on libc, and at least 25% depend on extra unsafe C/C++ libraries. These libraries break Rust's memory-safety promise and also expose users to great threats. Unfortunately, the inclusion of C/C++ libraries is invisible to developers, leaving the issue unnoticed. What's more, some of the C/C++ libraries are statically linked. This leads to fragmentation and makes it challenging to carry out scalable patching.

Even if a program is fully developed using memory-safe languages, memory security issues can still occur. Rust allows developers to write unsafe code using the "unsafe" keyword, but some libraries wrap unsafe code and re-export it as "safe" functions. If developers use these "safe" functions, they are not aware of the unsafety introduced by these libraries. Moreover, we will show that some of the memory-safe languages fail to zero out memory regions on object destruction, which can lead to secret memory leakages.

To illustrate the real-world threats, we will provide a few detailed case studies and live demos where programs developed in memory-safe languages can still be exploited via memory bugs. Finally, we will offer suggestions and provide tools for developers and users to achieve a sustainable ecosystem.


Mingshen Sun is a senior security researcher of Baidu X-Lab at Baidu USA. He received his Ph.D. degree from The Chinese University of Hong Kong. His interests lie in solving real-world security problems related to systems, mobile, IoT devices and cars. He maintains and actively contributes to the MesaLock Linux project, a memory-safe Linux distribution.


Twitter: @MingshenSun 
https://mssun.me 


Dr. Wei (Lenx) Tao is the Chief Security Scientist at Baidu, and Adjunct Professor at Peking University. He was also a co-organizer of the BitBlaze Group at UC Berkeley. His research interest lies in security architecture, programming languages and machine learning. Besides defending Baidu against various kinds of attacks, he also initiates, directs and promotes several important open-source security projects of Baidu, such as MesaLock Linux (a memory-safe Linux distribution), Rust SGX SDK, OpenRASP, etc.
FROM MEMORY SAFETY TO NON-BYPASSABLE SECURITY

Dr. Wei (Lenx) Tao

Chief Security Scientist at Baidu, and Adjunct Professor at Peking University


Security researchers and engineers have worked hard for decades to protect software written in memory-unsafe languages like C or C++, but real-world exploits show that all currently deployed protections can be defeated. Therefore, memory-safe programming languages like Rust or Go get more and more attention. However, there is still a significant gap between memory safety and formal verification, i.e. memory safety cannot guarantee that your software is vulnerability-free, and formal verification for general software is still too complex to be adopted widely.

In this talk, we propose the Non-bypassable Security Paradigm (NbSP), which bridges memory safety and formal verification. The "Non-bypassable" property was introduced by MILS (Multiple Independent Levels of Security/Safety) and it requires that one component cannot use another communication path, including lower-level mechanisms, to bypass the security monitor. NbSP combines program analysis and specifications to ensure that critical check points are non-bypassable. In this way, NbSP reduces attack surfaces significantly, and makes it practical for either detailed manual inspection or further formal verification of authentication, authorization and auditing.
Dr. Wei (Lenx) Tao is the Chief Security Scientist at Baidu, and Adjunct Professor at Peking University. He was also a co-organizer of the BitBlaze Group at UC Berkeley. His research interest lies in security architecture, programming languages and machine learning. Besides defending Baidu against various kinds of attacks, he also initiates, directs and promotes several important open-source security projects of Baidu, such as MesaLock Linux (a memory-safe Linux distribution), Rust SGX SDK, OpenRASP, etc.
GENERAL WAYS TO FIND AND EXPLOIT PATH TRAVERSAL VULNERABILITIES ON ANDROID APPS

Xiaobo Xiang (Elphet)


Directory traversal vulnerabilities are very common in Android applications. They are also easy for developers to overlook. Directory traversal vulnerabilities are also very harmful because they can break the application sandbox mechanism of Android.

In this talk, we will introduce our research on directory traversal vulnerabilities on the Android platform, covering what they are, how to find them, what they can cause and how to exploit them. We will explain these contents in a practical way.
Xiaobo Xiang (Elphet) is a security researcher of the 360 Alpha Team. He has submitted multiple bugs to Google and several other vendors in China. He is a doctoral candidate at the University of Chinese Academy of Sciences (UCAS), who mainly focuses on Android vulnerability research. In his spare time, he is keen on participating in CTF games as a pwner in the CTF team Nese (aka Never Stop Exploiting), which is a well-known CTF team in China.

Twitter: @b0b0505
Governments and large organizations all know the importance of destroying retired physical data storage units: the waste stream has the potential to be a major leak of security-relevant information, to competitors, criminal syndicates and the public. Hackers have long appreciated the insights to be gleaned through trashing! But the volumes of data stored today make this process difficult to accomplish instantaneously, and data in the wrong hands is money, or your freedom. If you manage data that might be at risk of physical attack by untouchable agents, could there be a way to ensure its physical destruction in under 60 seconds at the flip of a switch? In this research I investigate multiple paths to forensic-resistant elimination of physical media via thermal, kinetic and high voltage methods. Both magnetic and flash storage devices are investigated, requiring the development of new techniques for high explosives manufacture, delivery and encapsulation, including the use of 3D printing. Surprising results will be presented.
Zoz is a robotics engineer, rapid prototyping specialist and lifelong enthusiast of the pyrotechnic arts. Once he learned you could use a flamethrower and a coffee creamer bomb to fake a crop circle for TV, he realized there are really no limits to creative destruction.
Have you ever felt frustrated that the super cool DEFCON only happens once a year in Las Vegas? Visa, flights, time, language, distance are all possible reasons that prevent you from enjoying DEFCON. Well, thanks to DEF CON Groups, you're able to carry the spirit of DEF CON with you year round, and with local people, transcending borders, languages, and anything else that may separate us! Most importantly, local DEFCON Groups are the platforms to unite us all to achieve causes, to inspire others, regardless of their background or race.

In this talk, you'll hear from DEF CON's founder Dark Tangent, the Ambassador of DEF CON Groups Jayson E. Street, DEFCON GROUP 010 founder Jun Li who is also moderating the panel, DEFCON GROUP 617 founder April C. Wright, DEFCON GROUP 86021 founder Tielei Wang, DEFCON GROUP 86755 founder Peter Wesley, DEFCON GROUP 0571 founder Changsheng Gao, and DEFCON GROUP 0531 founder Xingpeng Liu. They will first discuss what hacking is, the spirit of hackers, what the differences are between different hacker communities, and what interesting experiences different groups can learn from each other; then they will discuss how the hacker spirit is contributing to society in good ways, and how to cultivate the next generation of security professionals (aka hackers); finally they will talk about some future projects they might be able to cooperate on, for example going to remote areas to inspire kids to learn and use technology to change the world.

Founders of their own local DEF CON Groups will also discuss the awesome projects of their groups, as well as projects from other groups, to give you ideas to take back to your own DEF CON Group. Projects we'll discuss range from custom badge builds, IoT devices, vintage gaming systems, custom-built routers, smart home devices and more!
Peter Wesley is a security researcher based in Shenzhen, China, where he runs a consultancy specializing in product security services. He has over 20 years' experience in IT security, predominantly in the Finance and Telecommunications industries, and has previously worked for Huawei Technologies in China, and NBN Co and Hacklabs in Australia. Peter is the organizer of DC86755, the DEFCON group in Shenzhen.


Tielei Wang is a member of Team Pangu. He was a research scientist at the Georgia Institute of Technology from 2012 to 2014 and received his Ph.D. degree in 2011. His research interests include system security, software security, and mobile security. He discovered a number of zero-day vulnerabilities and won the Secunia Most Valued Contributor Award in 2011. He has published many papers in top research conferences including IEEE Security and Privacy, USENIX Security, ACM CCS, and NDSS, and gave several presentations at BlackHat USA, CanSecWest, POC, and RUXCON. He is the POC of DC86021, the DEFCON group in Shanghai.


Changsheng Gao (aka Fuhei) is an enthusiast of Web security; he is one of the leaders of the Whitecap 100 security team and leader of the CTF team МЕР. He is also the POC of DEFCON GROUP 0571, the DEFCON group in Hangzhou.


Xinpeng Liu is a security researcher from EversecLab; he is focused on web security, botnet tracking and malware analysis. He is a speaker at DEFCON GROUP 010. He is the POC of DC0531, the DEFCON group in Jinan.


Jun Li is a security researcher at UnicornTeam in the Radio Security Research Department of 360 Security Technology. He is interested in hardware security, connected car security, and wireless security. He presented his research about wireless hacking and car hacking at Blackhat, DEFCON, HITB, CanSecWest, Syscan360, etc. He is the author of three books, including «Inside Radio: An Attack and Defense Guide». He is a member of the DEFCON GROUPS GLOBAL ADVISORY BOARD, and the POC of DC010, the first DEFCON group in China.


April C. Wright (@AprilWright) is a hacker, author, teacher, and community leader with over 25 years of breaking, making, fixing, and defending critical global connections. She has held roles on offensive, defensive, operational, and development teams. A security risk specialist for a Fortune 15 company, April has been a speaker and contributor at numerous security conferences, and for US Government and industry organizations such as OWASP and ISSA. She has started multiple small businesses including a non-profit, fulfills the role of Signaler for the DEFCON Groups Core Team, and co-founded Boston DC617.


Jayson E. Street is an author of the "Dissecting the Hack" series. Also the DEF CON Groups Global Ambassador. Plus the VP of InfoSec for SphereNY. He has also spoken at DEF CON, DerbyCon, GRRCon and at several other 'CONs and colleges on a variety of Information Security subjects.

He was a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far, but if they are, please note he was chosen as one of Time's persons of the year for 2006.
THANK YOU!


I want to thank everyone who has supported DEF CON China [Beta]. It takes a lot of people to pull off a conference, and a lot of stress to do it in short order.


Thank you to Zhang Yaqin and Ma Jie from Baidu for their long-term vision to bring DEF CON to China, and Casper and Alisa from XFuture for making the introductions and encouraging us to take the leap. Without those four people we wouldn't be here.


Thank you to the speakers, trainers, villages, demo labs, and contest organizers who took this first step with us. Many didn't know what to expect and so we all had this adventure together. Cool! Thank you for that.


Thank you to the DEF CON staff, Nikita, Neil, Darington, Cayce, Will, Charel, and Janet for helping make this happen. 
Zant from Villages, Tottenkoph from Workshops, Kampf from Entertainment, and the entire CFP Review Team. 


I want to thank Shen Pengfei, Liu Ye, Tony and Ma Meng from Baidu Security. Thank you to Zhang Jin from XFuture. Also, thank you to our music director Sun Yi Gang.


Thank you to the community supporters, sponsors and press who helped spread 
the word of our conference and took a risk on us our first year. 


Finally I want to thank you, the human, for trying something new and getting involved over this weekend. We plan to return in 2019, no longer in [Beta] but ready for a v1.0 release!


The Dark Tangent 

